[WK2][Mac][iOS] WebContent crash when using special file:// URI scheme @ WebKit:...
author bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 20 Apr 2016 18:26:20 +0000 (18:26 +0000)
committer bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 20 Apr 2016 18:26:20 +0000 (18:26 +0000)
https://bugs.webkit.org/show_bug.cgi?id=156747
<rdar://problem/24648176>

Reviewed by Alexey Proskuryakov.

Source/WebKit2:

FileSystemCF::fileSystemRepresentation returns a null string when presented with a file URL that contains embedded nulls. When
this happens, SandboxExtension::createHandle attempts to pass a null string to 'resolveSymlinksInPath', which attempts to call
'strrchr' on the null pointer, causing a crash.

Test: fast/url/file-uri-with-embedded-null-no-crash.html

* Shared/mac/SandboxExtensionMac.mm:
(WebKit::SandboxExtension::createHandle): If 'fileSystemRepresentation' is null, return early with an error.

LayoutTests:

* fast/url/file-uri-with-embedded-null-no-crash-expected.txt: Added.
* fast/url/file-uri-with-embedded-null-no-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199778 268f45cc-cd09-0410-ab3c-d52691b4dbfc

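The failure path the commit message describes, as an added example in C (not WebKit code and not part of this commit): a percent-encoded NUL in a file:// URL decodes into a length-carrying buffer, a POSIX path API rejects it by returning the null string, and a strrchr()-based consumer then dereferences NULL. The functions decode_file_url_path, file_system_representation, last_component, create_handle_unfixed and create_handle_fixed are hypothetical stand-ins for the WebKit functions named above, the buf_t type stands in for WTF::CString, and the sample URLs are constructed.

```c
/* Added example, not WebKit code. Models the failure path from the commit
 * message: a file:// URL with a percent-encoded NUL decodes into a
 * length-carrying buffer (like WTF::CString) whose bytes cannot form a
 * valid C string, so the fileSystemRepresentation stand-in yields the null
 * string, and any strrchr()-style consumer of it dereferences NULL.
 * All function and type names here are hypothetical stand-ins. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *data;   /* NULL means "null string" (CString::isNull()) */
    size_t len;   /* logical length; exceeds strlen(data) if a NUL is embedded */
} buf_t;

static const buf_t NULL_BUF = { NULL, 0 };

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode the path of a file:// URL. "%00" becomes a real 0x00
 * byte, which is the whole problem. Caller frees .data. */
static buf_t decode_file_url_path(const char *url)
{
    static const char prefix[] = "file://";
    buf_t out = NULL_BUF;
    if (strncmp(url, prefix, sizeof prefix - 1) != 0)
        return out;                       /* not a file URL: null string */
    const char *p = url + sizeof prefix - 1;
    out.data = malloc(strlen(p) + 1);
    if (!out.data)
        return out;
    for (; *p; p++) {
        int hi, lo;
        if (*p == '%' && (hi = hexval(p[1])) >= 0 && (lo = hexval(p[2])) >= 0) {
            out.data[out.len++] = (char)(hi * 16 + lo);
            p += 2;
        } else {
            out.data[out.len++] = *p;
        }
    }
    out.data[out.len] = '\0';
    return out;
}

/* Stand-in for fileSystemRepresentation(): a POSIX path cannot contain
 * NUL, so a buffer whose logical length disagrees with strlen() is
 * rejected by returning the null string, as the commit message describes. */
static buf_t file_system_representation(buf_t path)
{
    if (!path.data || strlen(path.data) != path.len)
        return NULL_BUF;
    return path;
}

/* Stand-in for the strrchr() use in resolveSymlinksInPath(): with the
 * null string this is strrchr(NULL, '/'), the crash in the bug report. */
static const char *last_component(buf_t path)
{
    const char *slash = strrchr(path.data, '/');
    return slash ? slash + 1 : path.data;
}

/* Before the fix: nothing stands between the null string and strrchr().
 * Calling this with "file://%00/%00/x" dereferences NULL. (Leaks the
 * decoded buffer; kept minimal to show only the control flow.) */
static const char *create_handle_unfixed(const char *url)
{
    buf_t fs = file_system_representation(decode_file_url_path(url));
    return last_component(fs);
}

/* After the fix, mirroring the patch: check for the null string before any
 * C-string API sees the buffer. Returns the last path component in a
 * static buffer, or NULL when no file system representation exists. The
 * log line reports the original URL, since the null string has nothing
 * printable in it. */
static const char *create_handle_fixed(const char *url)
{
    static char result[256];
    buf_t decoded = decode_file_url_path(url);
    buf_t fs = file_system_representation(decoded);
    if (!fs.data) {
        fprintf(stderr, "no valid file system representation for '%s'\n", url);
        free(decoded.data);
        return NULL;
    }
    snprintf(result, sizeof result, "%s", last_component(fs));
    free(decoded.data);
    return result;
}

int main(void)
{
    /* Constructed inputs: the test page's ping URL, and a benign one. */
    const char *bad = "file://%00/%00/x", *good = "file:///tmp/x";
    printf("fixed, good -> %s\n", create_handle_fixed(good));
    printf("fixed, bad  -> %s\n", create_handle_fixed(bad) ? "handle" : "rejected");
    printf("unfixed, good -> %s\n", create_handle_unfixed(good));
    /* create_handle_unfixed(bad) would crash inside strrchr(); not called. */
    return 0;
}
```

The point the model makes is that the null string is a distinct state from an empty string: a length-carrying buffer can legitimately hold bytes that no NUL-terminated API can accept, so the conversion boundary (here file_system_representation) is where that state must be checked, before the pointer is handed to strrchr() or anything else from <string.h>.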
LayoutTests/ChangeLog
LayoutTests/fast/url/file-uri-with-embedded-null-no-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/url/file-uri-with-embedded-null-no-crash.html [new file with mode: 0644]
Source/WebKit2/ChangeLog
Source/WebKit2/Shared/mac/SandboxExtensionMac.mm

index 8c079e4..0e5117a 100644 (file)
@@ -1,3 +1,14 @@
+2016-04-20  Brent Fulgham  <bfulgham@apple.com>
+
+        [WK2][Mac][iOS] WebContent crash when using special file:// URI scheme @ WebKit::resolveSymlinksInPath(WTF::CString const&) + 159
+        https://bugs.webkit.org/show_bug.cgi?id=156747
+        <rdar://problem/24648176>
+
+        Reviewed by Alexey Proskuryakov.
+
+        * fast/url/file-uri-with-embedded-null-no-crash-expected.txt: Added.
+        * fast/url/file-uri-with-embedded-null-no-crash.html: Added.
+
 2016-04-20  Dave Hyatt  <hyatt@apple.com>
 
         Hangable punctuation measurement using the wrong indices.
diff --git a/LayoutTests/fast/url/file-uri-with-embedded-null-no-crash-expected.txt b/LayoutTests/fast/url/file-uri-with-embedded-null-no-crash-expected.txt
new file mode 100644 (file)
index 0000000..c2c451b
--- /dev/null
@@ -0,0 +1,4 @@
+Tests that attempting to ping an invalid file URI doesn't crash WebKit.
+
+Click Me
+The test passes if it does not crash.
diff --git a/LayoutTests/fast/url/file-uri-with-embedded-null-no-crash.html b/LayoutTests/fast/url/file-uri-with-embedded-null-no-crash.html
new file mode 100644 (file)
index 0000000..8a861cf
--- /dev/null
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<p>Tests that attempting to ping an invalid file URI doesn't crash WebKit.</p>
+<a href="#" ping="file://%00/%00/x">Click Me</a><script>document.querySelector('a').click();</script>
+<p>The test passes if it does not crash.</p>
+</body>
+</html>
\ No newline at end of file
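Review bot: the test fires the synthetic click and then ends without waiting, so with testRunner.dumpAsText() the harness can record the expected text before the ping request for `file://%00/%00/x` has been dispatched, which makes a crash on that path land outside the test window. Consider pairing dumpAsText() with testRunner.waitUntilDone() and calling testRunner.notifyDone() from a short setTimeout after the click() so the ping load is given time to run. Minor: the file is missing its trailing newline.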
index 9dc4717..9023e1b 100644 (file)
@@ -1,3 +1,20 @@
+2016-04-20  Brent Fulgham  <bfulgham@apple.com>
+
+        [WK2][Mac][iOS] WebContent crash when using special file:// URI scheme @ WebKit::resolveSymlinksInPath(WTF::CString const&) + 159
+        https://bugs.webkit.org/show_bug.cgi?id=156747
+        <rdar://problem/24648176>
+
+        Reviewed by Alexey Proskuryakov.
+
+        FileSystemCF::fileSystemRepresentation return a null string when presented with a file URL that contains embedded nulls. When
+        this happens, SandboxExtension::createHandle attempts to pass a null string to 'resolveSymlinksInPath', which attemps to call
+        'strrchr' on the null pointer, causing a crash.
+
+        Test: fast/url/file-uri-with-embedded-null-no-crash.html
+
+        * Shared/mac/SandboxExtensionMac.mm:
+        (WebKit::SandboxExtension::createHandle): If 'fileSystemRepresentation' is null, return early with an error.
+
 2016-04-19  Alex Christensen  <achristensen@webkit.org>
 
         Fix CMake build.
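Review bot: typos in the new ChangeLog entry: "FileSystemCF::fileSystemRepresentation return a null string" should read "returns a null string", and "which attemps to call 'strrchr'" should read "attempts".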
index d528d55..1842540 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -217,7 +217,13 @@ bool SandboxExtension::createHandle(const String& path, Type type, Handle& handl
     ASSERT(!handle.m_sandboxExtension);
 
     // FIXME: Do we need both resolveSymlinksInPath() and -stringByStandardizingPath?
-    CString standardizedPath = resolveSymlinksInPath(fileSystemRepresentation([(NSString *)path stringByStandardizingPath]));
+    CString fileSystemPath = fileSystemRepresentation([(NSString *)path stringByStandardizingPath]);
+    if (fileSystemPath.isNull()) {
+        LOG_ERROR("Could not create a valid file system representation for the string '%s' of length %lu", fileSystemPath.data(), fileSystemPath.length());
+        return false;
+    }
+
+    CString standardizedPath = resolveSymlinksInPath(fileSystemPath);
     handle.m_sandboxExtension = WKSandboxExtensionCreate(standardizedPath.data(), wkSandboxExtensionType(type));
     if (!handle.m_sandboxExtension) {
         LOG_ERROR("Could not create a sandbox extension for '%s'", path.utf8().data());